[Dshield] Tens of thousands of http gets for the same .gif/.jpg

Tom Liston tliston at premmag.com
Fri Nov 8 14:54:59 GMT 2002


Here's a thought.  What do you have recording these requests?  Could 
*it* be the problem?  In other words, have you any alternate way of 
confirming that these requests *actually* took place?

-TL

On 7 Nov 2002 at 20:29, J. Foobar wrote:

> First off, thanks for the replies so far.
> 
> I don't think this has anything to do with ephemeral
> content.
> 
> The first incident like this I noticed involved over
> 300,000 http gets for this file:
> 
> http://www.peterindia.com/swecre61.jpg
> 
> In about a 30-40 minute period.  This is a background
> texture .jpg.
> 
> I am pretty sure that the internal user was not even
> at his/her desk when this happened, but he/she had
> surfed to this site several hours before and then
> there was no traffic from this machine at all for
> several hours.  
> 
> Another one I found from 10/31. 
> 
> http://209.249.249.170/cc-production/images/playing.gif
> 
> Again, small and static content.  It is an IP owned by
> a public radio station if memory serves.  The requests
> did not come at quite the fevered pitch as the one
> above, 30000+ requests in a little over 3 hours.
> 
> A week later (yesterday), the same IP again made
> 28000+ requests to the exact same .gif, this time over
> a 5-hour period.
> 
> Weird.
> 
> Thanks,
> Justin
> 
> --- Tony Nichols <tony at mail.applog.com> wrote:
> > Could it be one of those websites that update the
> > images every few
> > seconds like a weather map? Or maybe a webcam ?
> > 
> > T o n y
> > 
> > 
> > -----Original Message-----
> > From: list-admin at dshield.org
> > [mailto:list-admin at dshield.org] On Behalf
> > Of J. Foobar
> > Sent: Thursday, November 07, 2002 5:17 AM
> > To: list at dshield.org
> > Subject: [Dshield] Tens of thousands of http gets
> > for the same .gif/.jpg
> > 
> > 
> > I'm hoping that someone can steer me in a useful
> > direction on this.
> > 
> > We recently started doing some serious audits of
> > internal web use, based largely on bandwidth usage
> > and connection count
> > information parsed from our firewall logs.  I work
> > for an organization
> > with about 100,000 internal network-connected
> > workstations.
> > 
> > What I have been periodically seeing is a
> > workstation
> > that racks up huge amounts of http connections in a
> > 24-hour period.  A close look at the traffic dump
> > for
> > the user shows that the workstation performed tens
> > of
> > thousands of http gets on a web-based .jpg or .gif
> > in
> > a short amount of time.  Today I found one that
> > racked
> > up 50,000 plus, all for the same .gif, in under an
> > hour.
> > 
> > I have found four of these in the past couple of
> > weeks, all different internal systems with no rhyme
> > or
> > reason to the "targets."  One was a doppler weather
> > map on a local news web site, another was a
> > background
> > texture .gif on an obscure IT portal site.  In at
> > least one case, the user surfed to the target site
> > during business hours and probably left his/her
> > browser open.  Then, several hours later after
> > he/she
> > almost certainly had gone home, 100000+ http gets
> > for
> > the same .jpg starting at 9pm and lasting a few
> > hours.
> >  Then, it stopped.
> > 
> > Browser configuration problem, flaky behavior
> > inherent
> > to IE (mostly 5.0 and 5.5), malware of some sort? 
> > What does this smell like?
> > 
> > I am really not much of a client systems guy,
> > especially
> > when it comes to MS-schtuff, so I'm really not sure
> > what to look for when I discover these.
> > 
> > Thanks in advance,
> > Justin





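Following the suggestion in the reply to confirm the requests through a second source, this added example (not part of the original thread) flags per-client bursts of GETs for a single URL in a firewall log and checks each burst against an independent proxy log. The four-field log format, the addresses, the URLs and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

def peak_counts(lines, window):
    """Map (client, url) -> most GETs seen inside any sliding window."""
    stamps = defaultdict(list)
    for line in lines:
        ts, client, method, url = line.split()  # assumed 4-field log format
        if method == "GET":
            stamps[(client, url)].append(datetime.strptime(ts, FMT))
    peaks = {}
    for key, times in stamps.items():
        times.sort()
        start = 0
        peaks[key] = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop hits older than the window
                start += 1
            peaks[key] = max(peaks[key], end - start + 1)
    return peaks

def audit(firewall, proxy, threshold, window=timedelta(hours=1), tolerance=0.5):
    """Flag bursts in the firewall log and check each against the proxy log."""
    fw, px = peak_counts(firewall, window), peak_counts(proxy, window)
    report = {}
    for key, count in fw.items():
        if count >= threshold:
            seen = px.get(key, 0)
            # "unconfirmed" points at the recorder, not the workstation
            verdict = "confirmed" if seen >= count * tolerance else "unconfirmed"
            report[key] = (count, seen, verdict)
    return report

def sample(client, url, n, step_s):
    """Constructed log lines: n GETs from client, step_s seconds apart."""
    t0 = datetime(2002, 11, 7, 21, 0, 0)
    return [f"{(t0 + timedelta(seconds=i * step_s)).strftime(FMT)} {client} GET {url}"
            for i in range(n)]

# Constructed sample data (hypothetical hosts and URLs)
A, B = "http://site-a.example/bg.jpg", "http://site-b.example/map.gif"
FIREWALL = (sample("10.0.0.5", A, 600, 1) + sample("10.0.0.9", B, 500, 2)
            + sample("10.0.0.7", A, 4, 900))
PROXY = sample("10.0.0.5", A, 600, 1) + sample("10.0.0.9", B, 3, 300)

if __name__ == "__main__":
    for (client, url), (fw, px, verdict) in sorted(audit(FIREWALL, PROXY, 100).items()):
        print(f"{client} {url} firewall={fw} proxy={px} {verdict}")
```

A burst marked "unconfirmed" is one the second source did not see at a comparable volume, which is the case where the logging path itself deserves a look before the workstation does.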